Privacy policy

This page explains how the CX AI Pulse assessment (operated at cx-ai-pulse.khal.ai) collects, uses, stores, and shares personal information. The Service is sponsored by KHAL AI in partnership with the Support Driven community and is built by Namastex Labs LLC and DEX. KHAL AI is the data controller. Questions: privacy@khal.ai.

1. What we collect

• Lead form fields: full name, work email, company name — used to address you, to deliver results, to administer the sweepstakes, and (with opt-in) to suggest peer introductions.
• Assessment answers: the text of each answer (typed or transcribed from audio), plus a structured classification computed by an LLM. Audio originals are deleted within 7 days of transcription.
• Approximate country, derived from your IP at lead submission. We discard the raw IP after deriving the country.
• Essential cookies — see the Cookie Policy.

We do not collect payment information, government identifiers, location coordinates, social-media login tokens, or behavioral advertising signals.

2. Why we collect it

• To deliver the assessment and your results.
• To compose anonymized, aggregate research insights.
• To administer the sweepstakes and credit referrals.
• To measure operational health (completion, drop-off).
• To respond to data-subject requests and comply with the law.

Legal bases (GDPR): consent for participation and the sweepstakes, legitimate interest for operation and security, legal obligation for sweepstakes record-keeping. LGPD equivalents apply for Brazilian residents.

3. How we share

We do not sell personal data and we do not share it with advertisers or data brokers. We share only with named sub-processors (Vercel, Neon, Anthropic, ElevenLabs) strictly to operate the Service, and as anonymized aggregates (with the N≥5 rule below). Support Driven receives only published aggregate findings; no PII.

4. Retention

Lead form fields and raw answers are kept until 90 days after Chicago Expo 2026-08-26 (i.e., 2026-11-24) unless you request deletion sooner. Audio originals: within 7 days. Anonymized bucket-level aggregates (which contain no personal data) survive indefinitely. Audit log of administrative actions: 7 years (sweepstakes compliance).

5. Anonymization (N≥5)

Public outputs (Tier 1 dashboard, Tier 2 PDF) are computed only at the (industry, company size) bucket level. Any cell with fewer than 5 distinct respondents is suppressed: the dashboard shows —, not the count. Company names are never published. The rule is enforced server-side and verified in CI.

6. Your rights

Under GDPR (EU/UK), LGPD (Brazil), CCPA/CPRA (California), and equivalent US-state laws, you have rights to access, rectification, erasure, portability, restriction, objection, and withdrawal of consent. Use:

• Export my data — emails you a one-click link to download a JSON copy.
• Delete my data — emails you a confirmation link; deletion proceeds in two stages (soft delete, then hard delete after a 30-day grace period).
• For anything else, write to privacy@khal.ai.

7. Security

Traffic is encrypted in transit (TLS 1.2+). Data at rest is encrypted (AES-256). Production access requires MFA. Administrative actions (sweepstakes draw, exports) are recorded in an immutable audit log. We do not log personal identifiers at INFO/DEBUG levels.

8. International transfers

The Service is hosted on Vercel infrastructure (default regions: São Paulo, US). Where transfers from EU/UK to the US apply, we rely on the EU-US Data Privacy Framework (Vercel and Anthropic participate) and Standard Contractual Clauses with sub-processors that do not.

9. Changes

Material changes will be announced on the home page at least 14 days before they take effect.

10. Contact

• Privacy questions and requests: privacy@khal.ai
• Security disclosures: security@khal.ai